You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
A user may submit an application to a secured YARN cluster if they are authenticated, but the application is run as the user who submitted it. When Elasticsearch's Application Master starts, the remote process no longer has access to the original user's TGT from the client system. This means that the user will need a valid TGT on which ever node the Application Master has landed on in order to access HDFS to prepare containers to be launched.
Instead, we should add the ability to specify the principal and keytab file for the Elasticsearch Application Master to use during its lifecycle, and explicitly authenticate with said credentials when configuring the UGI. This would allow the Application Master to remain authenticated with HDFS without requiring the user to stand up particularly obscure mechanisms to retrieve a TGT.
The text was updated successfully, but these errors were encountered:
A user may submit an application to a secured YARN cluster if they are authenticated, but the application is run as the user who submitted it. When Elasticsearch's Application Master starts, the remote process no longer has access to the original user's TGT from the client system. This means that the user will need a valid TGT on which ever node the Application Master has landed on in order to access HDFS to prepare containers to be launched.
Instead, we should add the ability to specify the principal and keytab file for the Elasticsearch Application Master to use during its lifecycle, and explicitly authenticate with said credentials when configuring the UGI. This would allow the Application Master to remain authenticated with HDFS without requiring the user to stand up particularly obscure mechanisms to retrieve a TGT.
The text was updated successfully, but these errors were encountered: